#!/bin/bash

PMF=./php-malware-finder
SAMPLES=./data/samples

type yara 2>/dev/null 1>&2 || (echo "[-] Please make sure that yara is installed" && exit 1)

CPT=0
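#######################################
# Scan one sample and require exactly one scanner output line matching
# a pattern.
# Globals:   PMF, SAMPLES (read), CPT (incremented on success)
# Arguments: $1 - sample path, relative to SAMPLES
#            $2 - grep basic regular expression that must match exactly
#                 one line of the scanner's combined stdout+stderr
# Outputs:   a "[-] ..." diagnostic on stderr when the expectation fails
# Returns:   0 on success; exits the whole script with status 1 on failure
#######################################
run_test(){
    local nb_detected
    # $2 is a regex, not a fixed string: callers escape [ ] and * where they
    # must match literally. `--` keeps a pattern starting with '-' from being
    # read as a grep option. A scanner that cannot run produces an error
    # message instead of matches, so the count is then 0 and the test fails.
    nb_detected=$("${PMF}" -v -a "${SAMPLES}/$1" 2>&1 | grep -c -- "$2" 2>/dev/null)

    # Exactly one match is required: 0 means undetected, 2+ means the
    # pattern is too loose to pin down the intended rule/string.
    if [[ "$nb_detected" != 1 ]]; then
        echo "[-] $2 was not detected in $1, sorry" >&2
        exit 1
    fi
    CPT=$((CPT+1))
}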


# Each line below is: run_test <sample relative to SAMPLES> <expected pattern>.
# The pattern is a grep basic regular expression that must match exactly one
# line of the scanner's verbose output. Most patterns are prefixes of match
# lines that appear to be of the form `0x<offset>:$<string name>: <bytes>`;
# bare rule names such as `ObfuscatedPhp` are used where the rule, rather
# than a specific string, is what matters. Because the pattern is a regex,
# `[`, `]` and `*` are escaped (`\[`, `\*`) when they must be literal, while
# an unescaped `.` (e.g. in `github.com`) matches any character. The hex
# offsets pin a match to a location in the sample, so presumably editing a
# sample file also requires updating its expected offsets here.

# Real samples
run_test cpanel.php  '0x294d:$eval: {eval('
run_test freepbx.php 'ObfuscatedPhp'
run_test freepbx.php '0x72:$eval: { system('
run_test freepbx.php 'DodgyPhp'
run_test freepbx.php '0x31d:$execution: system(base64_decode'

# Classic shells
run_test classic/ajaxshell.php 'DodgyStrings'
run_test classic/ajaxshell.php '0x23e2:$: shell_exec'
run_test classic/ajaxshell.php "0x16e0:\$ini_get: ini_get('safe_mode"
run_test classic/ajaxshell.php "0x17f1:\$ini_get: ini_get('open_basedir"
run_test classic/angel.php '0x1b:$disable_magic_quotes:'
run_test classic/b374k.php 'ObfuscatedPhp'
run_test classic/b374k.php "0xe9:\$b374k: 'ev'.'al'"
run_test classic/b374k.php '0xb3:$align: $func="cr"."eat"."e_fun"."cti"."on";$b374k=$func('
run_test classic/b374k.php '0xd6:$align: ;$b374k=$func('
run_test classic/b374k.php '0x43:$: github.com/b374k/b374k'
run_test classic/sosyete.php '0x194e:$execution: shell_exec($_POST'
run_test classic/simattacker.php '0x158:$: fpassthru'
run_test classic/r57.php '0x142a2:$: xp_cmdshell'
run_test classic/cyb3rsh3ll.php '0x2200d:$udp_dos: fsockopen("udp://'
run_test classic/c99.php '0x3bb4:$eval: {exec('
run_test classic/c100.php '0x4f8d:$eval: {eval('

# Obfuscated php
run_test obfuscators/cipher_design.php '0x124:$execution: eval(base64_decode'
run_test obfuscators/cipher_design.php '0x123:$eval: ;eval('
run_test obfuscators/online_php_obfuscator.php '0x51:$eval: ;preg_replace('
run_test obfuscators/online_php_obfuscator.php "0x52:\$pr: preg_replace('/.*/e"
run_test obfuscators/online_php_obfuscator.php "SuspiciousEncoding"
run_test obfuscators/phpencode.php "ObfuscatedPhp"
run_test obfuscators/phpencode.php "DodgyPhp"

# Artificial samples to test some rules
# (hand-written inputs that exercise one rule string each; several of the
# dodgy.php expectations omit the offset and match on the string name only)
run_test artificial/obfuscated.php '0x0:$eval: <?php@eval('
run_test artificial/obfuscated.php '0x17:$eval: <?php'
run_test artificial/obfuscated.php '0xd1:$align: ;$b374k=$func('
run_test artificial/obfuscated.php '0xf0:$weevely3:'
run_test artificial/obfuscated.php '0x103:$c99_launcher:'
run_test artificial/obfuscated.php '0x117:$variable_variable:'
run_test artificial/dodgy.php '$basedir_bypass:'
run_test artificial/dodgy.php '$basedir_bypass2:'
run_test artificial/dodgy.php '$disable_magic_quotes:'
run_test artificial/dodgy.php '$execution: eval(base64_decode'
run_test artificial/dodgy.php '$execution: base64_decode($_GET'
run_test artificial/dodgy.php '$htaccess:'
run_test artificial/dodgy.php '0xd7:$iis_com: IIS://localhost/w3svc'
run_test artificial/dodgy.php "0xef:\$include: include  ( 'lol.png"
run_test artificial/dodgy.php "\$ini_get: ini_get (  'disable_functions"
run_test artificial/dodgy.php '$ini_get: ini_set("disable_functions'
run_test artificial/dodgy.php '$ini_get: ini_restore("allow_url_include'
run_test artificial/dodgy.php '$shellshock: () { :;};'
run_test artificial/dodgy.php '$pr: preg_replace ("/\*/e'
run_test artificial/dodgy.php '$various: <!--#exec cmd='
run_test artificial/dodgy.php '$: AddType application/x-httpd-php .htaccess'

run_test artificial/bypasses.php 'DodgyPhp'
run_test artificial/bypasses.php '0x6d:$execution: call_user_func_array($_POST'
run_test artificial/bypasses.php "0x132:\$var_as_func: \$_POST\['funct'\]("

# More real-world samples
run_test real/sucuri_2014_04.php '0x67:$execution3:'
run_test real/novahot.php 'DodgyStrings'
run_test real/guidtz.php '0x286:$non_printables:'
run_test real/ice.php 'double_var'
run_test real/srt.php '$register_function'
run_test real/awvjtnz.php '$reversed:'
run_test real/exceptions.php '$eval_comment: eval/\*k\*/('
run_test real/nano.php '$nano: $x\[f\]('
run_test real/ninja.php '$nano: $x\[0\]('
run_test real/ninja.php '$ninja: base64_decode(substr(getallheaders'
run_test real/include.php ':$silenced_include: @include'

run_test undetected/smart.php '0x6:$extract:'

# Only reached when every run_test above passed, since run_test exits the
# script on the first failed expectation.
echo "[+] Congratz, the $CPT tests succeeded!"
